Article Content

Article Number

000020800

Applies To

RSA ClearTrust Agent 3.5 for Apache

chroot

Issue

Using chroot command with an Apache server protected by RSA ClearTrust

Resolution

It is common practice (but not universal) to run Apache web servers in what is referred to as a "chroot'ed" environment. Before the command that starts the web server (or any other process) is executed, the chroot command is used to place the user/process in an environment where a named directory appears to be the root of the entire file system; for example, chrooting to /export/home makes /export/home/usr/bin/sh appear to the process as /usr/bin/sh, and nothing outside /export/home is visible to it at all.

For a more technical description about chroot, see your operating system documentation.

A significant amount of work is needed before an application can run in this environment. In the /export/home example, the chrooted process cannot run /usr/bin/sh until a copy of it (together with any shared libraries it is linked against) has been placed at /export/home/usr/bin/sh, because the original /usr/bin/sh is outside the new root. A common end result is that more than 100 operating system files (binaries, libraries, device nodes, configuration files) have to be copied before something as complex as a web server will start. The benefit is that a user who compromises the web server, whatever technique they employ, is confined to the files under the chroot directory and cannot damage the rest of the system through it. Note that chroot restricts file-system visibility only: it does not limit network access or the kernel attack surface, and a process that keeps root privileges inside the chroot can generally escape it, so the server's worker processes must run as an unprivileged user.
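The copying step described above is tedious by hand, so the following script is added here as a worked example; it is not part of the RSA article and not RSA or Apache code. It copies a binary and the shared libraries that ldd reports for it into a new root directory, then (optionally) runs a command inside that root with chroot. It assumes ldd output in the usual "name => path (addr)" form, that NEWROOT defaults to /export/home as in the article's example, and Linux device numbers for /dev/null; Solaris and other systems need their own values.

```shell
#!/bin/sh
# Added example: build a minimal chroot for one binary and run it there.
# Not from the RSA article; NEWROOT, RUN_CHROOT_DEMO and the device
# numbers below are assumptions for illustration.

# Extract absolute library paths from ldd(1) output read on stdin.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)", the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)", and warns on "=> not found".
# Pseudo-libraries such as linux-vdso.so.1 have no path and are skipped.
ldd_paths() {
    awk '
        /=> not found/ { print "missing library: " $1 > "/dev/stderr"; next }
        /=>/           { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//     { print $1 }
    '
}

# Copy one file into the new root, recreating its directory path
# (so /usr/bin/sh lands at $NEWROOT/usr/bin/sh).
install_into() {
    _root=$1; _src=$2
    mkdir -p "$_root$(dirname "$_src")"
    cp -p "$_src" "$_root$_src"
}

# Copy a binary plus every shared library ldd reports for it.
# For a statically linked binary ldd prints nothing usable, so only
# the binary itself is copied.
populate_chroot() {
    _root=$1; _bin=$2
    install_into "$_root" "$_bin"
    ldd "$_bin" 2>/dev/null | ldd_paths | while read -r _lib; do
        install_into "$_root" "$_lib"
    done
}

# Demo: only runs when explicitly requested, and needs root for chroot(2).
if [ "${RUN_CHROOT_DEMO:-0}" = 1 ]; then
    NEWROOT=${NEWROOT:-/export/home}   # assumption: the article's example root
    populate_chroot "$NEWROOT" /usr/bin/sh
    # Daemons usually also need a few device nodes and account files;
    # a real web server additionally needs its config, modules and content.
    mkdir -p "$NEWROOT/dev" "$NEWROOT/etc" "$NEWROOT/tmp"
    # Linux major/minor for /dev/null; other operating systems differ.
    [ -e "$NEWROOT/dev/null" ] || mknod -m 666 "$NEWROOT/dev/null" c 1 3
    # Now /usr/bin/sh resolves to $NEWROOT/usr/bin/sh inside the new root.
    chroot "$NEWROOT" /usr/bin/sh -c 'ls /'
fi
```

Run it as `RUN_CHROOT_DEMO=1 NEWROOT=/export/home sh chroot-populate.sh` as root to build and enter the root; without the variable it only defines the functions, so `populate_chroot /export/home /usr/sbin/httpd` (or whatever your Apache binary is called) can be sourced and called directly. Remember that the chroot itself does nothing to drop privileges: the daemon still has to switch to an unprivileged user (Apache's User/Group directives) after it starts.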

NOTE: RSA Security has not tested RSA ClearTrust code in a chrooted environment, so it cannot currently advise on how the agent behaves there. As a general policy (no specific standard being in effect), RSA Security is not able to assist customers running its applications in these sorts of environments. For more information, see the solution regarding RSA Security Products and system hardening.